#!/bin/bash
# {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
# {%- set CORTEXUSER = salt['pillar.get']('global:cortexuser', 'cortexadmin') %}
# {%- set CORTEXPASSWORD = salt['pillar.get']('global:cortexpassword', 'cortexchangeme') %}
# {%- set CORTEXKEY = salt['pillar.get']('global:cortexkey', '') %}
# {%- set CORTEXORGNAME = salt['pillar.get']('global:cortexorgname', '') %}
# {%- set CORTEXORGUSER = salt['pillar.get']('global:cortexorguser', 'soadmin') %}
# {%- set CORTEXORGUSERKEY = salt['pillar.get']('global:cortexorguserkey', '') %}

. /usr/sbin/so-common

default_salt_dir=/opt/so/saltstack/default

cortex_clean(){
    sed -i '/^  cortexuser:/d' /opt/so/saltstack/local/pillar/global.sls
    sed -i '/^  cortexpassword:/d' /opt/so/saltstack/local/pillar/global.sls
    sed -i '/^  cortexorguser:/d' /opt/so/saltstack/local/pillar/global.sls
}

cortex_init(){
    CORTEX_URL="http://{{MANAGERIP}}:9001/cortex/"
    CORTEX_API_URL="${CORTEX_URL}api"
    CORTEX_USER="{{CORTEXUSER}}"
    CORTEX_PASSWORD="{{CORTEXPASSWORD}}"
    CORTEX_KEY="{{CORTEXKEY}}"    
    CORTEX_ORG_NAME="{{CORTEXORGNAME}}"
    CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup"
    CORTEX_ORG_USER="{{CORTEXORGUSER}}"
    CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}"
    SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf"

    if wait_for_web_response $CORTEX_URL "Cortex" 120; then
        # Migrate DB
        curl -sk -XPOST -L "$CORTEX_API_URL/maintenance/migrate"

        # Create intial Cortex superadmin
        curl -sk -L "$CORTEX_API_URL/user" -H "Content-Type: application/json" -d "{\"login\" : \"$CORTEX_USER\",\"name\" : \"$CORTEX_USER\",\"roles\" : [\"superadmin\"],\"preferences\" : \"{}\",\"password\" : \"$CORTEX_PASSWORD\", \"key\": \"$CORTEX_KEY\"}"

        # Create user-supplied org
        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization" -d "{  \"name\": \"$CORTEX_ORG_NAME\",\"description\": \"$CORTEX_ORG_DESC\",\"status\": \"Active\"}"
        
        # Create user-supplied org user
        curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/user" -d "{\"name\": \"$CORTEX_ORG_USER\",\"roles\": [\"read\",\"analyze\",\"orgadmin\"],\"organization\": \"$CORTEX_ORG_NAME\",\"login\": \"$CORTEX_ORG_USER\",\"key\": \"$CORTEX_ORG_USER_KEY\" }"

        # Enable URLScan.io Analyzer
        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization/analyzer/Urlscan_io_Search_0_1_0" -d '{"name":"Urlscan_io_Search_0_1_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2}}'

        # Enable Cert PassiveDNS Analyzer
        curl -sv -k -XPOST -H "Authorization: Bearer $CORTEX_ORG_USER_KEY" -H "Content-Type: application/json" -L "$CORTEX_API_URL/organization/analyzer/CERTatPassiveDNS_2_0" -d '{"name":"CERTatPassiveDNS_2_0","configuration":{"auto_extract_artifacts":false,"check_tlp":true,"max_tlp":2, "limit": 100}}'
    	
        # Revoke $CORTEX_USER key
        curl -sk -XDELETE -H "Authorization: Bearer $CORTEX_KEY" -L "$CORTEX_API_URL/user/$CORTEX_USER/key" 

        # Update SOCtopus config with apikey value
        #sed -i "s/cortex_key = .*/cortex_key = $CORTEX_KEY/" $SOCTOPUS_CONFIG

        touch /opt/so/state/cortex.txt
    else
        echo "We experienced an issue connecting to Cortex!"
        exit 1
    fi
}

if [ -f /opt/so/state/cortex.txt ]; then
    cortex_clean
    exit 0
else
    if wait_for_web_response http://{{MANAGERIP}}:9400/_cluster/health '"status":"green"' 120; then
        cortex_init
        cortex_clean
    else
        echo "TheHive Elasticsearch server is not ready; unable to proceed with Cortex init."
        exit 1
    fi
fi
